[TIMESTAMP: 2026-04-29 12:41 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Windows Kernel LPE CVE-2024-21338: Lazarus Group Exploits Zero-Day

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers are leveraging a kernel-level flaw to bypass security software and gain full system control on Windows endpoints.
  • [02] Affected systems: Windows 10, 11, and Server versions 2016 through 2022 are vulnerable until the February 2024 patches are applied.
  • [03] Remediation: Administrators must deploy the Microsoft February 2024 security updates immediately to block active exploitation by nation-state actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2024-21338 to its Known Exploited Vulnerabilities (KEV) catalog. This move follows reports that the Lazarus Group, a North Korean APT, has been actively using this zero-day vulnerability to gain kernel-level access on targeted systems. According to BleepingComputer, federal agencies are mandated to patch this vulnerability by March 21, 2024, highlighting the urgency for both public and private sectors to address the threat.

Technical Analysis of the Windows Kernel Elevation of Privilege Vulnerability CVE-2024-21338

This CVE is a privilege escalation vulnerability within the Windows Kernel. Specifically, the flaw exists in the AppLocker driver (appid.sys), which is responsible for application identity services. The vulnerability arises from improper handling of input/output control (IOCTL) requests. An attacker who already has local administrative access to a system can exploit this flaw to move from administrative privileges to kernel-level code execution, effectively bypassing the security boundary between user mode and kernel mode.

While Microsoft initially assigned this vulnerability a CVSS score of 7.8, its real-world impact is significant because it facilitates an “admin-to-kernel” transition. In modern security architectures, reaching the kernel is the ultimate objective for attackers seeking to maintain persistence and evade detection. By operating at the kernel level, the Lazarus Group can manipulate system processes in a way that is invisible to standard security tools running in user space.

Lazarus Group rootkit deployment

Security researchers identified that the Lazarus Group integrated the exploit for CVE-2024-21338 into an updated version of their FudModule rootkit. This specific TTP allows the actor to perform direct kernel object manipulation (DKOM). By altering kernel structures, the rootkit can disable security products, such as EDR and antivirus agents, by unregistering their callbacks or terminating their protected processes.

This capability is a cornerstone of the Lazarus Group’s recent campaigns. By disabling defensive software, the attackers ensure that their subsequent activities—such as establishing C2 channels or moving laterally—remain undetected. This exploitation chain demonstrates a sophisticated understanding of Windows internals, specifically targeting drivers that are typically trusted by the operating system.

How to detect CVE-2024-21338 exploitation

Identifying the use of this exploit requires monitoring for unusual activity related to the appid.sys driver. Defenders should configure their SIEM to flag any process other than the legitimate application identity service that attempts to interact with IOCTL codes associated with the AppLocker driver.

Furthermore, SOC teams should look for signs of security software failure. If an EDR agent suddenly stops reporting, or its service is unexpectedly terminated, on a host that has not been patched for the February 2024 cycle, it may indicate a successful lateral movement attempt or local escalation via the FudModule rootkit. Monitoring for the MITRE ATT&CK technique ‘Rootkit’ (T1014) is essential in this context.
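As an added illustration of the two detection ideas above (example code written for this page, not from the article or any vendor product), the following Python sketch applies both rules to constructed telemetry. It assumes that the legitimate client of appid.sys is the Application Identity service (AppIDSvc) hosted in svchost.exe and that each host's patch level is known as a YYYY-MM month; the event field names are invented for the example.

```python
from dataclasses import dataclass

# Constructed model (not from the article): the legitimate AppLocker client is the
# Application Identity service (AppIDSvc) hosted in svchost.exe; any other process
# issuing IOCTLs to appid.sys is what the article says the SIEM should flag.
LEGIT_APPID_CLIENT = ("svchost.exe", "AppIDSvc")
FEB_2024_CYCLE = "2024-02"  # the patch cycle the article names, as YYYY-MM

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

def flag_appid_ioctl(events):
    """Rule 1: an IOCTL to appid.sys from any process other than the AppID service."""
    findings = []
    for e in events:
        if e["event"] != "device_ioctl" or e["target"].lower() != "appid.sys":
            continue
        if (e["image"].lower(), e.get("service")) == LEGIT_APPID_CLIENT:
            continue
        findings.append(Finding(e["host"], "appid_ioctl_unexpected_client",
                                f"{e['image']} (pid {e['pid']}) -> appid.sys"))
    return findings

def flag_edr_loss_unpatched(events, patch_level):
    """Rule 2: an EDR service stopped on a host still behind the February 2024 cycle."""
    findings = []
    for e in events:
        if e["event"] != "service_stopped" or not e.get("edr"):
            continue
        if patch_level.get(e["host"], "0000-00") < FEB_2024_CYCLE:  # YYYY-MM sorts as text
            findings.append(Finding(e["host"], "edr_stopped_on_unpatched_host", e["service"]))
    return findings

# Constructed sample telemetry; the field names are this example's own, not a product schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "device_ioctl", "image": "svchost.exe", "service": "AppIDSvc",
     "pid": 1204, "target": "appid.sys"},  # the legitimate service host: not flagged
    {"host": "ws01", "event": "device_ioctl", "image": "updater.exe", "service": None,
     "pid": 5320, "target": "appid.sys"},  # unexpected client: flagged
    {"host": "ws01", "event": "service_stopped", "service": "EdrAgent", "edr": True},
    {"host": "ws02", "event": "service_stopped", "service": "EdrAgent", "edr": True},
]
SAMPLE_PATCH_LEVEL = {"ws01": "2024-01", "ws02": "2024-02"}  # last cumulative update per host

def run_rules(events=SAMPLE_EVENTS, patch_level=SAMPLE_PATCH_LEVEL):
    return flag_appid_ioctl(events) + flag_edr_loss_unpatched(events, patch_level)
```

On the sample data, the unpatched host ws01 produces both findings while the patched host ws02 produces none, which is the correlation the article describes.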

Remediation and Mitigation

The primary remediation step is the immediate application of the Microsoft February 2024 cumulative updates. These patches address the IOCTL handling logic in the kernel to prevent the elevation of privilege. Beyond patching, organizations should adopt a Zero Trust architecture, ensuring that even users with administrative rights are strictly monitored and that their ability to load or interact with kernel drivers is limited by policy. Hardening the environment against unauthorized driver loading and utilizing hardware-based security features, such as Virtualization-Based Security (VBS), can provide additional layers of defense against kernel-mode threats.
